Programmed electronic devices have become ubiquitous. In most of these devices, it is desirable to provide at least some level of assurance of the integrity of the software stored in the device. For example, if the programmed electronic device is an embedded device controlling functions of an automotive braking system, any tampering with the software stored in the device may be very dangerous. As another example, if the programmed electronic device is a mobile communication device like, for example, a mobile telephone, unauthorized software may spy out confidential information, may incur unwanted charges or may circumvent restrictions like, for example, digital rights management settings. There is therefore a need in the above-mentioned and other programmed electronic devices that the software executed by the device can be trusted.
In principle, all software that is stored in a mutable memory of the programmed electronic device may be a possible target for an attack. Any interface of the programmed electronic device may be used in the attack. For example, manipulated SMS or manipulated WAP data may use a security hole of a browser or message reader to introduce malicious code. It is also possible that a user intentionally tries to change the software stored in the programmed electronic device. In this case, the device is especially vulnerable if the software is stored in a memory that is external to a main semiconductor circuit of the programmed electronic device. Such an external memory may be, for example, an EEPROM or FLASH memory that is located on a printed circuit board of the programmed electronic device or on an external memory card.
It is known in the field of mobile telephones to check the integrity of the application software when starting up the device. A successful integrity check indicates that the software has not been altered or tampered with and can therefore be trusted. For example, the software may be associated with a signature that is or contains a cryptographic hash value of the software. Such a hash value is commonly called a Cryptographic Checksum or Message Authentication Code (MAC) or Integrity Check Value. During the process of starting up the telephone, the cryptographic hash value of the software is re-computed and compared with the value stored in the signature. If both values coincide, the integrity check succeeds, and the software is deemed to be acceptable for execution.
It is important that the cryptographic hash value contains a secret component. Otherwise, an attacker could easily build a new signature matching any modified software. The secret component may be a secret key that is used when calculating the cryptographic hash value of the software both during signature creation and during each startup integrity check. For example, the cryptographic hash value of the software may be obtained from processing the software—seen as a byte sequence—in a DES block mode operation using the secret key. The last resulting block—or a part thereof—may constitute the cryptographic hash value.
The secret information—for example, the secret key—must be stored in the programmed electronic device because it is required for the software integrity check each time the device is started up. On the other hand, the secret information must be hidden from a possible attacker in order to ensure that the attacker cannot calculate a new signature for any modified software. If the secret information is stored, for example, in a one-time programmable (OTP) memory of the programmed electronic device, there is the risk that an attacker may discover and access the secret information. For example, techniques like the use of malicious software or buffer overflows could potentially be employed to execute code to discover the secret key.
Even if the attacker cannot access the secret information directly, there is still the risk that the attacker may manage to execute software or hardware functions of the programmed electronic device that in turn access and use the secret information. For example, such functions could be used by the attacker to encrypt or decrypt data or to generate a valid signature for modified software.